Systems and Method for Retroactive Assignment of Personally Identifiable Information in Distribution of Digital Content

ABSTRACT

Systems and methods for retroactive assignment of personally identifiable information in distribution of content in accordance with embodiments of the invention are disclosed. In one embodiment, a method of controlling anonymity of user profiles includes generating an intermediate identifier using a playback device, where the intermediate identifier is random and different from intermediate identifiers used by other playback devices and is not known to be associated with the playback device by entities other than the playback device, sending the intermediate identifier associated with consumption data concerning content files that have been accessed on the playback device to an audience measurement server, aggregating the consumption data into an anonymous user profile, sending personally identifiable information about a user of the playback device to the audience measurement server, and combining the personally identifiable information about the user with the anonymous user profile.

FIELD OF THE INVENTION

The present invention relates generally to building anonymous user profiles in content systems and more specifically to enabling communication for which the privacy status and degree of anonymization can be controlled.

BACKGROUND OF THE INVENTION

Usage history is used in e.g. Facebook feeds, Netflix recommendations and Google personalized ads. The history may contain browsing history or audience measurement information (consumption data) such as what content was consumed, with content type, duration and time for video content, or e.g. browsing of social networks or search engines. To enable this, the history is associated with an identifier representing the client, and the resulting recommendations are delivered targeted to the device or the user that is creating the history. The identifier is often based on information such as credit card, name, login/password, device ID, IP or MAC addresses. These identifiers are often directly or indirectly personally identifiable. Indirect identification is often accomplished by correlating the information with other databases, allowing personally identifiable information to be created and added. This de-anonymization may not be desired by the user at the time of data collection and may be rejected by the user. In this case, the consumption data may not be stored and will be irrevocably lost. A method is described that allows storing the data anonymously and enables user control over the usage of the data and the level of personally identifiable information that can be attributed to it.

SUMMARY OF THE INVENTION

Systems and methods for retroactive assignment of personally identifiable information in distribution of digital content in accordance with embodiments of the invention are disclosed. In one embodiment, a method of controlling anonymity of user profiles in playback of digital content includes generating an intermediate identifier using a playback device, where the intermediate identifier is pseudo random and different from intermediate identifiers used by other playback devices within a plurality of playback devices and is not known to be associated with the playback device by any entities other than the playback device, sending, using the playback device, the intermediate identifier associated with consumption data concerning content files that have been accessed on the playback device to an audience measurement server, aggregating, using the audience measurement server, the consumption data into an anonymous user profile associated with the intermediate identifier, where the audience measurement server does not possess information concerning which playback device the intermediate identifier is associated with, sending, using the playback device, personally identifiable information about a user of the playback device associated with the intermediate identifier to the audience measurement server, and combining, using the audience measurement server, the personally identifiable information about the user with the anonymous user profile linked by the intermediate identifier to generate a personalized user profile where the personalized user profile includes information concerning the user of the playback device the intermediate identifier is associated with.

In a further embodiment, generating an intermediate identifier using a playback device includes generating an intermediate identifier from a known identifier associated with the playback device using a secret transformation.

In another embodiment, sending, using the playback device, personally identifiable information about a user of the playback device to the audience measurement server includes sending identification of the secret transformation to the audience measurement server as a proof of identity.

In a still further embodiment, the method also includes generating feedback data based upon the anonymous user profile using the audience measurement server, broadcasting, using the audience measurement server, a feedback message containing the intermediate identifier and the feedback data to the plurality of playback devices including the playback device, and receiving the broadcast feedback message containing the intermediate identifier using the playback device.

In still another embodiment, broadcasting, using the audience measurement server, a feedback message containing the intermediate identifier and the feedback data to the plurality of playback devices including the playback device includes making available the feedback message for at least some of the plurality of playback devices to download.

In a yet further embodiment, the method also includes repeatedly generating a new intermediate identifier using the playback device after regular intervals.

In yet another embodiment, the intermediate identifier is a public key of a private and public key pair generated by the playback device.

In a further embodiment again, the intermediate identifier is encrypted.

In another embodiment again, a method of controlling anonymity of user profiles in playback of digital content includes generating an intermediate identifier using a playback device, where the intermediate identifier is pseudo random and distinguishable from intermediate identifiers used by other playback devices within a plurality of playback devices and is not known to be associated with the playback device by any entities other than the playback device, sending, using the playback device, the intermediate identifier and consumption data concerning content that has been played on the playback device to an audience measurement server, aggregating, using the audience measurement server, the consumption data into an anonymous user profile using the intermediate identifier, where the audience measurement server does not possess information concerning which playback device the intermediate identifier is associated with, generating feedback data based upon the anonymous user profile using the audience measurement server, broadcasting, using the audience measurement server, a feedback message containing the intermediate identifier and the feedback data to the plurality of playback devices including the playback device, receiving the broadcast feedback message containing the intermediate identifier using the playback device, and performing a playback feature on the playback device in response to the broadcast feedback message when the intermediate identifier contained in the broadcast feedback message matches the intermediate identifier on the playback device.

In a further additional embodiment, generating an intermediate identifier using a playback device includes generating an intermediate identifier from a known identifier associated with the playback device using a secret transformation.

In another additional embodiment, performing a playback feature on the playback device in response to the broadcast feedback message includes providing recommendations for future content for the user associated with the user profile.

In a still yet further embodiment, performing a playback feature on the playback device in response to the broadcast feedback message includes displaying personalized ads during playback of content.

In still yet another embodiment, broadcasting, using the audience measurement server, a feedback message containing the intermediate identifier and the feedback data to the plurality of playback devices including the playback device includes making available the feedback message for at least some of the plurality of playback devices to download.

In a still further embodiment again, sending, using the playback device, the intermediate identifier and viewing data concerning content that has been played on the playback device to an audience measurement server, and broadcasting, using the audience measurement server, a feedback message containing the intermediate identifier and the feedback data to the plurality of playback devices including the playback device, are performed using an anonymous communications network.

In still another embodiment again, the method also includes repeatedly generating a new intermediate identifier using the playback device after regular intervals.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a system diagram of an audience measurement system utilizing intermediate identifiers in accordance with embodiments of the invention.

FIG. 2 conceptually illustrates an audience measurement server configured to collect audience measurement data and broadcast messages in accordance with embodiments of the invention.

FIG. 3 conceptually illustrates a playback device configured to receive and play back content utilizing an intermediate identifier in accordance with embodiments of the invention.

FIG. 4 illustrates a process for collecting anonymous viewing data using intermediate identifiers in accordance with embodiments of the invention.

FIG. 5 illustrates a process for anonymous collection of audience measurement or consumption data using intermediate identifiers in accordance with embodiments of the invention.

FIG. 6 illustrates a process for performing anonymous purchase, distribution and consumption of content using an intermediate identifier in accordance with embodiments of the invention.

DETAILED DISCLOSURE OF THE INVENTION

Overview

Turning now to the drawings, systems and methods are described that allow storing data anonymously and enable user control over the usage and level of possible attribution of personally identifiable information in accordance with embodiments of the invention. To anonymize information, a mechanism could be used that anonymizes information or doesn't store information at the head end. However, in that case, the server controls the behavior and needs to be trusted. The client cannot be sure that the information is not stored, that the anonymization process removed the personalization information irrevocably, and that the data is not used to de-anonymize users by checking for overlap with other datasets.

Anonymous matching has been suggested in U.S. Patent Publication No. 2002/0052825 to Bensemana, but this still requires an intermediate proxy that stores or could store personalization information, at least temporarily, requiring the client to rely on trusting the server.

Anonymous communication has been suggested in the literature, e.g. by the torproject (https://www.torproject.org), and is utilized to enable some embodiments of the present invention, but it is not sufficient on its own, as such networks don't contemplate any information or anonymous identifier of the sender that can be used to group a user's information into anonymous profiles describing several actions of that user, nor a means to contact submitters of this information anonymously to provide feedback.

Other approaches have been suggested in PCT Patent Publication No. 1996/17467 to Salganicoff to secure the information about consumption behavior in transmission or storage, but they do not prevent sharing the identifying information of the source.

Embodiments of the present invention not only enable the client to control the generation, release and storage of data, they also enable anonymous storage with retroactive assignment of personally identifiable information (PII), providing an option to retroactively make the data more valuable by assigning personal information to it and enabling a user action to claim, use, copy or transfer the data. The retroactive assignment can be done for the entire data, for groups of information, or for intervals. In many embodiments, the assignment is secured and the client can prove ownership to any owner of the database.

Several embodiments of the present invention also enable delivery of feedback data and/or viewing recommendations resulting from analysis of a client's identifier while staying anonymous, using a broadcast message where the single recipient addressed by the message that has been sent to all, is not known by the server sending the message. In some embodiments, the receipt of feedback data enables or enforces additional functionality on the playback device.

Collecting data associated with personally identifiable information (PII) often may affect privacy (it may be undesirable or illegal). In additional embodiments of the invention, an intermediate identifier (also referred to as a token or private token) or alias is utilized that allows collection of transaction data anonymously, later grouping of transactions per user, and, in a following step, assignment of PII to the collected data upon initiative by the client. This can enable data collection while maintaining client control of PII by separating data and PII until the point when the client would like to associate PII retroactively.

System Architecture

A playback device may use an intermediate identifier to enable anonymous content consumption. An intermediate identifier can be used to limit the identifiability of a user or playback device by acting as an identifier whose association with a particular user or playback device cannot be determined by another entity without additional information from the user or playback device. An intermediate identifier may be generated on a playback device and kept secret. In several embodiments, an intermediate identifier can be sent to other entities such as servers as part of data gathering while keeping the user or playback device anonymous, and/or additional information identifying the user or playback device may be disclosed for other purposes.

An audience measurement system in accordance with embodiments of the invention is illustrated in FIG. 1. The illustrated system 101 includes a content server 112 configured to distribute content to playback devices and an audience measurement server 114 configured to receive messages and associated intermediate identifiers from playback devices. The audience measurement server may store information about time, length and location of content consumption of video, computer games, apps, social networks, teleconferencing, websites, or other digital assets.

A variety of playback devices 116, 118, and 120 can play back content stored locally or received from content server 112 via a first network 122 such as the Internet. In many embodiments, a playback device is configured to measure the user behavior during consumption of content (e.g., information such as identification of what and when content is played) and provide measurements to the audience measurement server.

In the illustrated embodiment, playback devices include mobile phone 116, television 118, and personal computer 120. In other embodiments, playback devices can include any of various types of consumer electronics devices such as, but not limited to, DVD players, Blu-ray players, set top boxes, video game consoles, tablets, e-book readers, VR displays and other devices that are capable of connecting to a server and playing back digitally encoded media.

In several embodiments, a playback device may communicate with an audience measurement server, vendor server, or other participating server via another network (a second network). The network may provide anonymity or pseudo-anonymity when communicating the playback device's intermediate identifier to the server. Anonymity can refer to the complete inability of entities other than the playback device to identify the playback device or the user account used on the playback device. Similarly, pseudo-anonymity can refer to such identification being impracticable and/or difficult. This can be implemented by a second network 124 that provides communications by an anonymous protocol that preserves anonymity of the playback device. Alternatively, this can be implemented on the same network as the first network, but using anonymous communications such as, but not limited to, an anonymity preserving protocol like onion routing using implementations like Tor. While client device 120 is illustrated as communicating with audience measurement server 114 over the second network 124, client devices 116 and 118 may similarly communicate with audience measurement server 114 over the second network 124. Although a specific audience measurement system architecture is discussed above with respect to FIG. 1, any of a variety of streaming systems can be utilized to deliver content streams in accordance with embodiments of the invention.

An audience measurement system for providing feedback data messages by broadcast in accordance with embodiments of the invention is illustrated in FIG. 1B. A variety of playback devices 116′, 118′, and 120′ can receive a broadcast message from content server 114′ via a third network 126 that is capable of broadcast addressing to connected devices. Alternatively, this can be implemented on the same network as the first or second network, but using a communications protocol that is capable of broadcast addressing.

While specific system architectures are discussed above with respect to FIGS. 1 and 1B, one skilled in the art will recognize that any of a variety of architectures may be utilized in accordance with embodiments of the invention as appropriate to a particular application.

Audience measurement servers in accordance with many embodiments of the invention can load a collection application and/or a message broadcast application as machine readable instructions from memory or other storage. An audience measurement server in accordance with an embodiment of the invention is illustrated in FIG. 2. The audience measurement server 202 includes a processor 204 and non-volatile memory 210 that includes a collection application 212 and a message broadcast application 214. In the illustrated embodiment, the non-volatile memory 210 is utilized to store instructions that configure the processor 204 to perform processes such as those discussed further below. In several embodiments, a collection application and/or message broadcast application can be loaded from any kind of memory or storage device including volatile memory in accordance with many embodiments of the invention.

The collection application 212 can configure the audience measurement server 202 to receive anonymous consumption data associated with an intermediate identifier from playback devices. The message broadcast application 214 can configure the audience measurement server 202 to send a message containing an intermediate identifier for a playback device to respond with enabling certain features. As will be discussed further below, broadcast messages can be sent containing the intermediate identifier to playback devices so that the device having the intermediate identifier reacts upon receipt without the content server, audience measurement server, and/or other entities being able to identify the playback device. In many embodiments, broadcast messages include feedback data generated from analysis of consumption data. Upon receipt by a playback device, feedback data can enable additional functionality and/or provide content recommendations. In different embodiments, the collection application 212 and message broadcast application 214 can be implemented as a single application on the audience measurement server or as separate applications on separate servers (e.g., a collection server and a broadcast server).

Playback devices in accordance with many embodiments of the invention can load a playback application as instructions from memory. A playback device in accordance with an embodiment of the invention is illustrated in FIG. 3. The playback device 302 includes a processor 304 and non-volatile memory 310 that includes a playback application 312, intermediate identifier generation application 316, and intermediate identifier 314. In many embodiments, the applications can be loaded from any kind of memory or storage device including volatile memory in accordance with many embodiments of the invention. In the illustrated embodiment, the non-volatile memory 310 is utilized to store instructions that configure the processor 302. Here, the non-volatile memory 310 contains the instructions of a playback application 312, which can be utilized to configure the processor 304 to receive and decode media content. In further embodiments, the playback application 312 configures the processor to take certain enhanced playback actions when a broadcast message containing the intermediate identifier associated with the playback device (e.g., feedback data) is received by the playback device as will be discussed further below.

The intermediate identifier generation application 316 can configure the playback device 302 to generate an intermediate identifier 314 by generating a long random number or using a process such as those discussed further below. In many embodiments, an intermediate identifier is typically stored on the playback device and sent to participate in interactions anonymously, without personally identifiable information. In additional embodiments, an intermediate identifier may be provided to a server for anonymously purchasing content, anonymously reporting viewing statistics, or other purposes such as those discussed further below. In many embodiments of the invention, disclosures of the intermediate identifier to another entity are only made by secure (e.g., encrypted) and/or anonymous methods whereby the playback device and/or user identity (e.g., user account) associated with the intermediate identifier cannot be identified. In this way, the user can maintain his or her privacy.

Although an anonymous audience measurement system utilizing intermediate identifiers is described above with respect to a specific audience measurement server and playback device, any of a variety of transmitting or decoding systems can be utilized in the transmission and decoding of content as appropriate to specific applications in accordance with embodiments of the invention.

Intermediate Identifier Generation

In many embodiments of the invention, an intermediate identifier (also called token) is generated or selected by a client playback device to allow identification of that device or a user account on the device, and is not known by any other entity (e.g., device or server) to be associated with that device or user account, and the device that generated the intermediate identifier cannot be easily identified from the intermediate identifier alone without additional information. The intermediate identifier is shared with other entities, such as an audience measurement server, for anonymous collection of data, i.e., that initially cannot be traced back to that particular playback device or user account until and unless the client reveals the association. As discussed below, any of a number of techniques can be utilized alone or in combination to select or generate an intermediate identifier for a playback device in accordance with embodiments of the invention.

An intermediate identifier may be a random or pseudo-random number. Collision may occur where two or more devices have the same intermediate identifier. The risk of collision can be reduced to a negligible risk by using a larger degree of randomness in generating the number and/or using a larger number.

In several embodiments, an intermediate identifier is generated using a fixed, seed number in combination with a random or pseudo-random number encrypted with a secret key that is unique and permanently associated with the playback device or user account. The playback device can provide proof of its identity and having generated the intermediate identifier by including the fixed, seed number.

In some embodiments, an intermediate identifier is generated from a device identifier that is unique to and associated with the device. A device identifier may be static and may have been generated during device provisioning or registration. The device identifier may be unique to the device. Also, a serial number of a device component such as a hard drive, chip, or sound card may be used directly or after a transformation such as hashing. These existing identifiers are useful, in particular since they may be unique, static and not traceable if no record of the link to the device exists.

An intermediate identifier may be generated using encryption, where the process of generating the intermediate identifier includes selecting an encryption key.

An intermediate identifier may be generated using a hash algorithm using a device identifier, such that the device identifier cannot be recovered using only the intermediate identifier, but it can be verified that the intermediate identifier was generated using that device identifier by performing the hash again and comparing the results. The hash can be seeded for greater variety over time and the seed may be provided by broadcast message to all playback devices.

An intermediate identifier may be a public key in an asymmetric key (encryption) scheme or, to reduce the size, a hash thereof. The private key utilized in the scheme would be known only to the device or user and not released to the public. This allows a playback device to prove that it had generated the intermediate identifier and allows a broadcaster of a message to encrypt the message in such a way that only the intermediate identifier holder, the playback device, can decrypt using the private key.

In several embodiments of the invention, an intermediate identifier is encrypted to prevent disclosure, such as repeated use of the same private payload, to entities other than the playback device and/or server. It may be encrypted using a shared secret key that is known to the playback device and the server or using a public key associated with the server. This allows the server to derive an encryption key from the client to establish secure communications.

In additional embodiments, an intermediate identifier includes a component that is static and associated with a group of clients, e.g. certain members of a network, such that broadcast messages are accessible to the group. The component can be any type of additional information identifier such as, but not limited to, a time stamp and/or device type.

The generation and change to the intermediate identifier may be signaled to and/or requested by the user's client device to foster transparency or discourage illegal content distribution.

In some embodiments, the user's client device may generate its own private identifier, like a pseudonym or alias. Typically in such embodiments this cannot be altered at will, since a user who is distributing content may otherwise evade enforcement actions directed at his client device. However, there can be scenarios where the person able to choose the alias or pseudonym can be trusted, e.g. a system administrator choosing an ID for a group of users or on a campus, or scenarios where no enforcement action is envisioned.

The alias is an identifier relating to a user or client id, like a pseudonym or moniker. It can be derived from a base identifier that is known to the server and client, e.g. assigned by the server and transformed by the client. In the preferred embodiment, the transformation is not reversible and contains a secret component that is revealed to prove the client's identity. Several processes can accomplish that. E.g. the server assigns a unique number, and the client returns a transaction with the unique number and a transformation thereof, such as a hash of the unique number combined with a random number that the client has generated and stored. Encryption using the random number accomplishes a similar result.

Instead of storing the random number itself, the client may store a means to reproduce it, such as a seed for a random number generator or a hash of a timestamp combined with a constant password. The seed may be randomly generated and stored on the client, or it may be a static number already present on the device, like a hard-drive serial number or another number assigned to the device or application.

The alias may be changed regularly, to allow time granularity when claiming data or assigning personal information to data. E.g. the base identifier and random number used to generate the alias may change on a daily basis or with every set of transaction information submitted to the server. This would prevent the server from linking the data between days or transactions but would allow the client to reveal its identity only for selected portions, while revealing the identity for other portions at a later time, if at all.

Similarly, the alias may be changed for different groups of information, such as channel change or trickplay in media consumption to allow attribution of a subset of the data in a later stage. This may go as far as using a different alias for every transaction to provide maximum granularity and to later allow individual assignment.

The alias generation may be used on multiple devices to share the same alias between different devices to allow combining data from different devices in a single step. A gateway in the home may manage these multiple aliases.

In several embodiments, the intermediate identifier is pseudo random, i.e. it varies between different intermediate identifiers with high entropy, and no structure of the generation process is apparent from the intermediate identifiers themselves.

Additional Security Benefits

A benefit of certain embodiments of the present invention, as described above, is the control that the client has in releasing information to the server, so the client does not need to trust the server to remove the information and maintains the ability to later claim and enhance the information. Alternatively, the present invention is useful to enhance the security of the total solution against hacking by a 3rd party. To enable this, the client provides its identity occasionally, but the server does not store it and only has a small subset of identities at the same time. Even if a hacker gains access to the head end, she will not be able to steal all identities, as they are managed in a decentralized manner and not all will be accessible at the same time. In addition to the anonymity the intermediate identifier provides, any consumption data that is stored may also be encrypted with a key initially known to the client only. This distributed security allows keeping the data confidential, i.e. the data is resolved on request only, and the client device is the only location that permanently stores the intermediate identifier. This is helpful to prevent a central database that can be hacked.

Intermediate Identifier Length and Collision

Collision may occur where two or more playback devices independently generate the same intermediate identifier R by accident, e.g. as output of a random process. This scenario can cause confusion among the playback devices, as messages or actions that are meant to apply to one device having the intermediate identifier R may affect all the devices having the same intermediate identifier R. The likelihood of collision can be expressed as the well-known birthday problem, i.e., the probability that some pair of randomly chosen people in a set will have the same birthday (see https://en.wikipedia.org/wiki/Birthday_problem#Probability_table). For an intermediate identifier length of 32 bits and 2,900 clients, the probability is 0.1% that two or more clients are using the same hash. For larger populations a longer string may be chosen, e.g., for a length of 64 bits and 190,000,000 clients the probability is 0.1% that two or more clients are using the same hash. Even longer intermediate identifier lengths would result in lower likelihoods, for example, for a length of 128 bits and 2.6×10¹³ clients, the probability is p=10⁻¹². A longer string length can be chosen as appropriate to a particular application considering any burden on communications efficiency. The consequence of a collision may also be limited, e.g. a device that is not responsible for illegally distributing content may be disabled for a limited period of time.
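The figures above can be checked with the birthday approximation p ≈ 1 − exp(−n(n−1)/2^(b+1)) for n clients and b-bit identifiers. The following is an added example, not code from the patent, that computes the collision probability for a given length and population, the largest population that stays under a target probability, and the shortest identifier that does so for a given population.

```python
import math


def collision_probability(bits: int, clients: int) -> float:
    """Probability that at least two of `clients` devices independently draw
    the same `bits`-bit identifier uniformly at random (birthday problem,
    first-order approximation, accurate when clients << 2**bits)."""
    space = 2.0 ** bits
    pairs = clients * (clients - 1) / 2.0
    # -expm1(-x) == 1 - exp(-x), computed without cancellation for tiny x
    return -math.expm1(-pairs / space)


def max_clients(bits: int, p: float) -> int:
    """Largest population for which the collision probability stays <= p."""
    space = 2.0 ** bits
    return int(math.sqrt(-2.0 * space * math.log1p(-p)))


def min_bits(clients: int, p: float) -> int:
    """Shortest identifier length (in bits) keeping the collision
    probability for `clients` devices at or below p."""
    bits = 1
    while collision_probability(bits, clients) > p:
        bits += 1
    return bits


if __name__ == "__main__":
    # The three (length, population) pairs quoted in the text above.
    for bits, n in ((32, 2_900), (64, 190_000_000), (128, 2.6e13)):
        print(f"{bits:>3} bits, {n:.3g} clients: p = {collision_probability(bits, int(n)):.2e}")
    print("max clients at 32 bits for p=0.1%:", max_clients(32, 0.001))
    print("min bits for 2,900 clients at p=0.1%:", min_bits(2_900, 0.001))
```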

Processes for Anonymous Storage of Viewing Data and Retroactive Assignment of PII

Intermediate identifiers are used in various embodiments of the invention to provide anonymous storage of viewing data with retroactive assignment of personally identifiable information (PII). A process for anonymous storage and retroactive assignment using an intermediate identifier in accordance with embodiments of the invention is illustrated in FIG. 4. In the illustrated process, the client playback device generates (402) an intermediate identifier and submits it together with a transaction to an audience measurement server for anonymous data collection. Transactions can be any of a variety of interactions or messages related to content consumption such as, but not limited to, a video-on-demand (VOD) purchase, consumption (i.e. playback or viewing), ad watching, channel change, consumption device, etc.

The generation of the intermediate identifier may be performed the same way for multiple devices and may be different for different times. It can be in the user's control to create the same intermediate identifier for all devices controlled by the user using an account or login, or different intermediate identifiers, in order to create different user profiles in one account e.g. for different members of a family sharing the same account.

The client playback device sends (404) the intermediate identifier and transaction information to an audience measurement server. The audience measurement server stores (406) the information as history and is able to group all transactions that have been registered under one intermediate identifier to create a profile.

The profile is analyzed (408) for patterns in the consumption (i.e., viewing or playback) of various pieces of content and/or related activities. Patterns may help to identify consumer preferences for content or consumption time or a combination thereof to establish recommendations for future consumption of e.g. linear programming, video on demand consumption, or other media like websites. Alternatively, the pattern can be used to analyze for technical issues with playback such as malfunctioning devices or limits in smooth playback due to limited device processing or bandwidth. The analysis can be performed by the audience measurement server that may include functionality of an analytics server.

In some embodiments, results of the analysis are supplied (410) as feedback data to the client device by the audience measurement server or another server that performed the analysis. If the identity of the client is not known, the feedback data is made available to all clients anonymously, e.g. by broadcasting the result as a message to all client devices, such as embedded in transport stream packets on cable or satellite (e.g. EMM packets), by delivering the information with a software upgrade to clients, or by making it available for anonymous download using existing mechanisms for anonymous communication that e.g. utilize several clients and intermediaries to download the information for the ultimate recipient that is looking for it. The message is addressed to the intended client device by using the intermediate identifier that only the receiving client device knows is associated with it. If the information should be protected from others it may be encrypted with a key (that can be secret or public) submitted by the client device with the intermediate identifier. In several embodiments, this communication is similar to a private token used for communication disclosed in U.S. Patent Application Ser. No. 62/273,043 to Thorwirth et al. entitled “Systems and Methods for Preserving Privacy in Distribution of Digital Content Using Private Tokens,” the relevant disclosure from which is hereby incorporated by reference in its entirety.

The feedback data received by the client device can be useful for executing (412) any of a number of enhanced features, including, but not limited to, displaying recommendations, warnings about malfunctions and their remedies, or ads that match the consumption profile of the user. In other embodiments, the aggregated data is only used on the server.

In additional embodiments, the client device is in control to release some parts of the information individually, i.e. personally identifiable information (PII), profile information, consumption per day, or all consumption. The client device can maintain control over what to release, at what time and to whom. At any point the user of the client device may be motivated to provide (414) more information, e.g. using financial incentives or an improved service offering. This information may include additional transactions, or personal information, such as demographic data (gender, age, zip, income, etc.) or information such as name, social security number, date and place of birth, mother's maiden name, or biometric records; medical, educational, financial, and employment information; or information correlating to other public statements, e.g. posted on platforms like Facebook, Twitter, etc. Another source of information to provide can also be a link to identifiers in other databases that may not use an intermediate identifier as described here, or another identifier that is personally identifiable. Additional information can include browsing history, credit card transactions, or email. The user may be motivated to release this information with financial incentives or additional services, or for better feedback from the data analysis. In this way, an intermediate identifier can be used to retroactively assign personally identifiable information to information that was previously anonymized.

Another reason to use retroactive assignment may be the change of legal requirements that later allow the use of this information.

If the client desires to provide history, the intermediate identifiers for the relevant duration are provided for data collection so that all transactions associated with these identifiers can be grouped together.

In several embodiments, a retroactive assignment of PII to an intermediate identifier and the associated user profile enables retroactive recommendations where the data is stored but only used once the data is retroactively enabled to allow this service.

In other embodiments the approach is useful for a client to prove limited usage and to opt to pay lower usage fees than for an unlimited bundle by proving its usage when enabling PII association.

In additional embodiments, a retroactive assignment of PII to an intermediate identifier and the associated user profile enables an entity to buy transaction data from an individual customer and/or sell transaction data of the individual customer.

In some embodiments of the invention, the intermediate identifier is rotated or changed (416) on the client device after some period of time or at regular intervals of time. In some embodiments, a previous intermediate identifier is used for the next submission to the audience measurement server. In other embodiments, a new intermediate identifier is generated by the client device. The rotation may occur after the client disclosed its personal information, to keep future information anonymous, or before, in order to allow de-anonymization by providing personal information for some identifiers only. Although a specific process for generating an intermediate identifier and building a user profile is discussed above with respect to FIG. 4, any of a variety of processes may be utilized in accordance with embodiments of the invention as appropriate to a particular application.
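The steps 402 through 416 above, carried through as an added example (not the patent's own code): the server groups transactions by whatever intermediate identifier arrives, the client decides when to attach PII and to which identifiers, and rotating the identifier before disclosure leaves the earlier history unattributed. Class and method names, the transaction kinds and the 64-bit identifier length are the example's own choices.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Transaction:
    """One consumption event (constructed sample data; kinds follow the text:
    VOD purchase, playback, ad watching, channel change)."""
    kind: str
    title: str
    minutes: int = 0


class AudienceMeasurementServer:
    """Server side of the process: stores transactions under whatever intermediate
    identifier arrives and learns an identity only when a client chooses to send PII."""

    def __init__(self) -> None:
        self.history = defaultdict(list)  # intermediate identifier -> [Transaction]
        self.pii = {}                     # intermediate identifier -> PII dict

    def record(self, intermediate_id: str, tx: Transaction) -> None:
        """Step 406: register a transaction under the identifier it arrived with."""
        self.history[intermediate_id].append(tx)

    def profile(self, intermediate_id: str) -> dict:
        """Step 408: group everything registered under one identifier into a profile.
        'identity' stays None until PII has been retroactively attached."""
        minutes_by_title = defaultdict(int)
        for tx in self.history.get(intermediate_id, []):
            if tx.kind == "playback":
                minutes_by_title[tx.title] += tx.minutes
        return {
            "transactions": len(self.history.get(intermediate_id, [])),
            "minutes_by_title": dict(minutes_by_title),
            "identity": self.pii.get(intermediate_id),
        }

    def attach_pii(self, intermediate_ids, pii: dict) -> int:
        """Retroactive assignment: link the supplied PII to every profile stored under
        the identifiers the client disclosed. Returns how many stored transactions
        thereby became attributable."""
        linked = 0
        for iid in intermediate_ids:
            self.pii[iid] = dict(pii)
            linked += len(self.history.get(iid, []))
        return linked


class PlaybackDevice:
    """Client side: the only party that permanently knows which identifiers are its own."""

    def __init__(self, server: AudienceMeasurementServer, id_bits: int = 64) -> None:
        self.server = server
        self.id_bits = id_bits
        self.current = self._fresh_identifier()      # step 402
        self.retired = []  # earlier identifiers, kept locally so their history can be claimed later

    def _fresh_identifier(self) -> str:
        # Drawn from the OS CSPRNG; the birthday bound from the collision section applies.
        return secrets.token_hex(self.id_bits // 8)

    def submit(self, tx: Transaction) -> None:
        """Step 404: send the current identifier together with a transaction."""
        self.server.record(self.current, tx)

    def rotate(self) -> str:
        """Step 416: retire the current identifier and start a new, unlinked one."""
        self.retired.append(self.current)
        self.current = self._fresh_identifier()
        return self.current

    def release_pii(self, pii: dict, include_retired: bool = False) -> int:
        """Step 414: disclose PII for the current identifier only, or also for the
        retired ones so that older anonymous history is claimed as well."""
        ids = [self.current] + (self.retired if include_retired else [])
        return self.server.attach_pii(ids, pii)


if __name__ == "__main__":
    server = AudienceMeasurementServer()
    device = PlaybackDevice(server)
    device.submit(Transaction("playback", "Title A", 45))
    first = device.current
    device.rotate()
    device.submit(Transaction("playback", "Title B", 90))
    device.release_pii({"name": "Alice Example"})           # constructed PII
    print("old profile:", server.profile(first))             # identity remains None
    print("new profile:", server.profile(device.current))    # identity attached
```

What a dump of `server.history` reveals is a set of random hexadecimal keys with transaction lists under them; the mapping from those keys to a device or person exists only in `device.retired` and `device.current` until the client calls `release_pii`.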

Examples of Data to be Processed and User Profiles

In one embodiment, data, consumption data and audience measurement data refer to information about user behavior. It can be observed on the client when content is consumed or on the server when content is prepared and delivered. Examples include the consumption of video, linear TV, radio, music files, games, apps, social networks, teleconferencing and websites. Observation includes the consumption title, duration, location, interaction or processes like download requests, or derivative processes like requests for decryption keys required to decrypt the data. Data can be registered at the server, e.g. during a download request, or, during offline consumption, stored on the client and transmitted later.

The data can be assembled to characterize the consumer; characterization may include viewing preferences that may be combined with learned preferences from collaborative filtering to conclude other content that may be interesting for the consumer. Consumption data can also be analyzed to allow conclusions about the consumer's gender, age, income or other demographics, as well as consumption preferences that will help to target advertisement. Other profiles group consumers into how they prefer consumption (i.e. device type, time of day, available bandwidth etc.). Profiles can be compared to other important properties such as consumption of other goods and services (for purchase or subscription) or cancellation of service (also known as churn prediction).

Anonymous User Recommendations for Content

A process for anonymously collecting viewing data and creating user recommendations in accordance with embodiments of the invention is illustrated in FIG. 5. The process 500 includes generating (502) an intermediate identifier. An intermediate identifier may be generated by any of a variety of techniques including those discussed further above. In many embodiments, a playback device generates the intermediate identifier. The playback device sends (504) the intermediate identifier with audience measurement data for anonymous data collection to an audience measurement server, which may be a content server or other server dedicated to collecting audience measurement data. Audience measurement data may describe usage statistics such as, but not limited to, the titles of content that was played back by the device and watched by the user, number of times that each piece of content was played, times of day of use, and other information concerning the content that was watched by the user. The intermediate identifier and audience measurement data can be sent at a regular interval and/or with purchase transactions or playback requests sent by the playback device.

The audience measurement server aggregates (506) the received data. The received data can be used to build a user profile that describes past viewing habits or patterns and/or the likelihood that a user would enjoy certain categories or characteristics of content. In several embodiments, the audience measurement server may utilize audience measurement data from other playback devices or users in generating (508) viewer profiles and/or content recommendations.

Generated content recommendations or feedback data may be sent (510) anonymously from the audience measurement server by broadcast message that includes the intermediate identifier of the playback device. The playback device having that intermediate identifier can present the recommendations to the user on a user interface or by integrating the recommendations into a playback application. When the audience measurement server can identify the playback device, it can send the content recommendations directly, i.e., by unicast, rather than by broadcast. Although a specific process for collecting audience measurement data anonymously and generating content recommendations using intermediate identifiers is described above with respect to FIG. 5, one skilled in the art will recognize that any of a variety of processes may be utilized in accordance with embodiments of the invention.

Processes for Anonymous Content Consumption

A process for anonymous content consumption in accordance with embodiments of the invention is illustrated in FIG. 6. The process 600 includes a playback device generating (602) an intermediate identifier P. The intermediate identifier P or a derivative of P (e.g., a hash) may be displayed to a user on a screen on the playback device or on a display that is in communication with the device. In some embodiments the intermediate identifier P is converted into a bar code or QR code that is displayed on a TV screen connected to a satellite TV set top box (STB). In other embodiments, the intermediate identifier P or derivative of P may be communicated to the user by other methods or may be saved in a file to be sent by the playback device.

The intermediate identifier P is sent (604) to a vendor server. A vendor server may be a content server, web server, or storefront server or combination thereof that is configured to provide access to content in exchange for payment and is controlled by a content retailer, reseller, or distributor. As discussed further above, the intermediate identifier P may be communicated via another network (a second network) or another type of communications that provides anonymity or pseudo-anonymity when communicating the playback device's intermediate identifier to the vendor server. Payment for the content can be made by similar methods. Payment may also be given by other anonymous methods such as Bitcoin or Bitcoin pooling or being anonymized by an intermediary such that the playback device and/or user cannot be identified. In several embodiments, the intermediate identifier P and payment are sent together. In other embodiments, they are sent separately.

The vendor server or an associated rights management server sends (606) a broadcast message containing a decryption key that enables access to the purchased content, where the decryption key is encrypted using the intermediate identifier P, a derivative of P (e.g., a hash), or an identifier that identifies P. In many embodiments, the decryption key is a frame key that can be used to decrypt one or more frames of the content. In other embodiments, the decryption key is a content key that can be used to decrypt one or more frame keys. In additional embodiments, the decryption key may be any key that is used in a digital rights management scheme to access the content by itself or in combination with other keys. In several embodiments, playback devices that do not possess the intermediate identifier P are unable to access the decryption key from the broadcast message, and only the playback device that possesses the intermediate identifier P can recover the decryption key from the broadcast message using the intermediate identifier P.

The encrypted content is sent to and received (608) by the playback device. The playback device decrypts (610) the encrypted decryption key contained in the broadcast message using the intermediate identifier P and uses the decryption key to access (612) the content. In several embodiments utilizing the process described above, the vendor provides content that is accessible only by the playback device that has intermediate identifier P but cannot identify which playback device is the device that has intermediate identifier P. In other embodiments the content can be distributed widely, e.g. encrypted on peer to peer networks where content acquisition is hard to observe. In this way, privacy of the playback device and/or user can be preserved. Although a specific process for anonymous content playback is described above with respect to FIG. 6, one skilled in the art will recognize that any of a variety of processes may be utilized in accordance with embodiments of the invention to distribute content secured with an intermediate identifier that protects the identity of the playback device.
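The broadcast mechanism used in steps 606 and 610 above, and equally for the anonymous feedback messages of steps 410 and 510, can be shown end to end. The following is an added example (not the patent's or any vendor's code): the server addresses the message with a non-reversible derivative of P and wraps the payload (a content key or feedback data) under keys derived from P, and every device in the population sees the message but only the holder of P recovers the payload. The HMAC-SHA256 counter keystream plus encrypt-then-MAC tag is a standard-library stand-in for an AEAD cipher such as AES-GCM; the function names, message field names and the constructed identifiers and key are the example's own.

```python
import hashlib
import hmac
import secrets


def address_tag(p: bytes) -> bytes:
    """Public, non-reversible derivative of P used to address the broadcast message.
    Devices compare it against their own tag instead of revealing P."""
    return hashlib.sha256(b"address|" + p).digest()[:8]


def derive_keys(p: bytes, nonce: bytes):
    """Per-message encryption and MAC keys derived from P and a fresh nonce."""
    enc_key = hmac.new(p, b"enc|" + nonce, hashlib.sha256).digest()
    mac_key = hmac.new(p, b"mac|" + nonce, hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for an AEAD cipher)."""
    blocks = []
    counter = 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal_for_identifier(p: bytes, payload: bytes) -> dict:
    """Server side (steps 510 / 606): wrap a content key or feedback data so that
    only the holder of P can recover it. Encrypt-then-MAC over nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(p, nonce)
    ciphertext = xor_bytes(payload, keystream(enc_key, len(payload)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"to": address_tag(p), "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_broadcast(p: bytes, message: dict):
    """Playback device side (step 610, or receiving feedback): return the payload
    if the message is addressed to P and its tag verifies, otherwise None."""
    if not hmac.compare_digest(message["to"], address_tag(p)):
        return None  # addressed to some other identifier; ignore
    enc_key, mac_key = derive_keys(p, message["nonce"])
    expected = hmac.new(mac_key, message["nonce"] + message["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None  # forged or tampered message; never use a key that fails the tag check
    return xor_bytes(message["ciphertext"], keystream(enc_key, len(message["ciphertext"])))


def deliver_to_population(message: dict, population: dict) -> dict:
    """Simulate the broadcast: every device sees the message, each tries to open it.
    `population` maps a device name to its intermediate identifier (constructed)."""
    return {name: open_broadcast(p, message) for name, p in population.items()}


if __name__ == "__main__":
    # Constructed identifiers and content key for the demonstration.
    devices = {name: secrets.token_bytes(16) for name in ("stb-a", "stb-b", "stb-c")}
    content_key = secrets.token_bytes(32)
    message = seal_for_identifier(devices["stb-b"], content_key)
    for name, result in deliver_to_population(message, devices).items():
        print(name, "recovered key" if result == content_key else "nothing")
```

Because P doubles as key material here, it must carry at least 128 bits from a CSPRNG; a 32-bit identifier is adequate for addressing per the collision section but is not a usable secret key. Rotating P (step 416) also changes the address tag, so the server must learn the new P through the anonymous channel before it can address further messages to the device.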

Securing Distributed Data

The ability to distribute the information that enhances the data is also useful to secure the data. Since the intermediate identifier is controlled by the client and required to enhance the data, a central breach of the database would be less harmful without the required intermediate identifiers. Storing the data centrally and the intermediate identifier locally in the client devices enhances the security of the central storage. In this case the client permission, accessibility or delay when providing the intermediate identifier would prevent a quick and easy theft of the central data. For example, medical records may be stored in a central location, but the intermediate identifiers are stored with the clients and need to be requested with every access, building hurdles against easy access and enhancing security against illegal use. Other use cases include securing content under legal conditions that prohibit storing, storing long term, transmitting or sharing personally identifiable data. If the data is stored with anonymous intermediate identifiers, these processes may be lawful, and personal information can be associated later if legal conditions change or user consent is acquired.

Additional Applications

The general system discussed above can be used in a variety of data collection and storage applications. Media consumption is an example that can be extended past linear TV and VOD to OTT (over the top) video, video in websites, online radio channels and individual radio channels like Pandora. Use of recommendations can be presented to be selected by the user or aligned in a personalized TV channel. One example of the implementation of a personalized TV channel that may be utilized in accordance with embodiments of the invention is outlined in U.S. Patent Publication No. 2014/0026052 to Thorwirth entitled “Systems and Methods for Rapid Content Switching to Provide a Linear TV Experience Using Streaming Content Distribution,” the disclosure from which relevant to displaying and playing back streaming content in channels is hereby incorporated by reference in its entirety.

Other applications include consumption of utilities such as power, gas and water, with feedback on consumption patterns and information on how to reduce or replace consumption or how to shift consumption to other times to be more efficient. Other information can be provided such as comparison over time or comparison to other households that are similar in occupancy, location or size.

Other sensors in the house connected to the internet (often called IoT—internet of things) like light switches, sprinkler systems, thermostats, picture frames, fridges, shopping lists or home security system including cameras, motion sensors, sensors for temperature and gases create data that is useful to store and contains information that the user may want to have accessible but not associable with herself and can be usefully managed with embodiments of the present invention.

Although the present invention has been described in certain specific aspects, many additional modifications and variations would be apparent to those skilled in the art. It is therefore to be understood that the present invention may be practiced otherwise than specifically described, including various changes in the implementation such as utilizing encoders and decoders that support features beyond those specified within a particular standard with which they comply, without departing from the scope and spirit of the present invention. Thus, embodiments of the present invention should be considered in all respects as illustrative and not restrictive. 

What is claimed is:
 1. A method of controlling anonymity of user profiles in playback of digital content, the method comprising: generating an intermediate identifier using a playback device, where the intermediate identifier is pseudo random and different from intermediate identifiers used by other playback devices within a plurality of playback devices and is not known to be associated with the playback device by any entities other than the playback device; sending, using the playback device, the intermediate identifier associated with consumption data concerning content files that have been accessed on the playback device to an audience measurement server; aggregating, using the audience measurement server, the consumption data into an anonymous user profile associated with the intermediate identifier, where the audience measurement server does not possess information concerning which playback device the intermediate identifier is associated with; sending, using the playback device, personally identifiable information about a user of the playback device associated with the intermediate identifier to the audience measurement server; and combining, using the audience measurement server, the personally identifiable information about the user with the anonymous user profile linked by the intermediate identifier to generate a personalized user profile where the personalized user profile includes information concerning the user of the playback device the intermediate identifier is associated with.
 2. The method of claim 1, wherein generating an intermediate identifier using a playback device comprises generating an intermediate identifier from a known identifier associated with the playback device using a secret transformation.
 3. The method of claim 2, wherein sending, using the playback device, personally identifiable information about a user of the playback device to the audience measurement server comprises sending identification of the secret transformation to the audience measurement server as a proof of identity.
 4. The method of claim 1, further comprising: generating feedback data based upon the anonymous user profile using the audience measurement server; broadcasting, using the audience measurement server, a feedback message containing the intermediate identifier and the feedback data to the plurality of playback devices including the playback device; and receiving the broadcast feedback message containing the intermediate identifier using the playback device.
 5. The method of claim 4, wherein broadcasting, using the audience measurement server, a feedback message containing the intermediate identifier and the feedback data to the plurality of playback devices including the playback device comprises making available the feedback message for at least some of the plurality of playback devices to download.
 6. The method of claim 1, further comprising repeatedly generating a new intermediate identifier using the playback device after regular intervals.
 7. The method of claim 1, wherein the intermediate identifier is a public key of a private and public key pair generated by the playback device.
 8. The method of claim 1, wherein the intermediate identifier is encrypted.
 9. A method of controlling anonymity of user profiles in playback of digital content, the method comprising: generating an intermediate identifier using a playback device, where the intermediate identifier is pseudo random and distinguishable from intermediate identifiers used by other playback devices within a plurality of playback devices and is not known to be associated with the playback device by any entities other than the playback device; sending, using the playback device, the intermediate identifier and consumption data concerning content that has been played on the playback device to an audience measurement server; aggregating, using the audience measurement server, the consumption data into an anonymous user profile using the intermediate identifier, where the audience measurement server does not possess information concerning which playback device the intermediate identifier is associated with; generating feedback data based upon the anonymous user profile using the audience measurement server; broadcasting, using the audience measurement server, a feedback message containing the intermediate identifier and the feedback data to the plurality of playback devices including the playback device; receiving the broadcast feedback message containing the intermediate identifier using the playback device; and performing a playback feature on the playback device in response to the broadcast feedback message when the intermediate identifier contained in the broadcast feedback message matches the intermediate identifier on the playback device.
 10. The method of claim 9, wherein generating an intermediate identifier using a playback device comprises generating an intermediate identifier from a known identifier associated with the playback device using a secret transformation.
 11. The method of claim 9, wherein performing a playback feature on the playback device in response to the broadcast feedback message comprises providing recommendations for future content for the user associated with the user profile.
 12. The method of claim 9, wherein performing a playback feature on the playback device in response to the broadcast feedback message comprises displaying personalized ads during playback of content.
 13. The method of claim 9, wherein broadcasting, using the audience measurement server, a feedback message containing the intermediate identifier and the feedback data to the plurality of playback devices including the playback device comprises making available the feedback message for at least some of the plurality of playback devices to download.
 14. The method of claim 9, wherein: sending, using the playback device, the intermediate identifier and viewing data concerning content that has been played on the playback device to an audience measurement server; and broadcasting, using the audience measurement server, a feedback message containing the intermediate identifier and the feedback data to the plurality of playback devices including the playback device; are performed using an anonymous communications network.
 15. The method of claim 9, further comprising repeatedly generating a new intermediate identifier using the playback device after regular intervals. 